Remote reboot using encrypted root partition
What to do if you need to reboot a server remotely, and this server uses an encrypted root partition? By default, the boot process will stop, and wait for you to type the password on the console. I'll show you, how can you enter this password remotely over an ssh connection.
Important: This guide is based on Debian Jessie. It may vary slightly on other Debian versions. However, the setup process should be fairly similar.
- You need a lightweight ssh server on the initial ramdisk.
- This small ssh server must use the same host-keys as the openssh server on your running server.
- You need a small script that asks for the password, and use it to unlock the encrypted partition.
- The update-initramfs must be modified to insert your script into the initrd always.
You need to install some packages:
apt-get install --no-install-recommends openssh-server dropbear busybox
Convert the host-key from the openssh to the dropbear in initrd:
/usr/lib/dropbear/dropbearconvert openssh dropbear \
/etc/ssh/ssh_host_ecdsa_key \
/etc/initramfs-tools/etc/dropbear/dropbear_ecdsa_host_key
Create a /root/unlock
script:
#!/bin/ash/
echo -n "Enter the key: "
read a
echo -ne "$a" > /lib/cryptsetup/passfifo
echo "Done."
Give it an execution privilege:
chmod 755 /root/unlock
Write a new hook in /usr/share/initramfs-tools/hooks/unlock
:
#!/bin/sh
. "${CONFDIR}/initramfs.conf"
. /usr/share/initramfs-tools/hook-functions
copy_exec "/root/unlock" "/bin/"
And finally update the initrd:
update-initramfs -u
After restarting the server, you can connect it via ssh while booting. You can give the password of the encrypted partition using the unlock command, and the boot process will be continue.